Gentoo Full Text Bug Listing

Bug 100398 - media-libs/netpbm Arbitrary Postscript Code Execution Vulnerability

Bug#: 100398	Product: Gentoo Security	Version: unspecified	Platform: All
OS/Version: Linux	Status: RESOLVED	Severity: normal	Priority: P2
Resolution: FIXED	Assigned To: security@gentoo.org	Reported By: folajimi@speakeasy.net
Component: Vulnerabilities
URL:
Summary: media-libs/netpbm Arbitrary Postscript Code Execution Vulnerability
Keywords:
Status Whiteboard: B2 [glsa]
Opened: 2005-07-26 13:02 0000

Description:

Opened: 2005-07-26 13:02 0000

Max Vozeler has reported a vulnerability in netpbm, which can be exploited by
malicious people to compromise a vulnerable system.

The vulnerability is caused due to pstopnm not using the "-dSAFER" option when
calling GhostScript to convert a PostScript file into a PBM, PGM, or PNM file.
This allows a malicious PostScript file to execute arbitrary commands on a
vulnerable system.

The vulnerability has been reported in version 10.0. Other versions may also be
affected.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.




Solution:
Only use pstopnm on trusted files.

http://secunia.com/advisories/16184/

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-07-26 13:11:47 0000 -------

graphics please advise.

------- Comment #2 From Karol Wojtaszek (RETIRED) 2005-07-27 01:46:29 0000 -------

Created an attachment (id=64419) [details]
Fix by debian

Patch proposed by Debian

------- Comment #3 From Thierry Carrez (RETIRED) 2005-07-29 03:12:44 0000 -------

graphics herd, please apply Debian patch

------- Comment #4 From Karol Wojtaszek (RETIRED) 2005-07-30 13:55:57 0000 -------

Bumped to 10.28 and patched ebuild is in portage. This release fixes also
insecure temp file in ppmtompeg.

------- Comment #5 From Sune Kloppenborg Jeppesen 2005-07-31 01:07:41 0000 -------

Arches please test and mark stable.

------- Comment #6 From René Nussbaumer 2005-07-31 03:03:37 0000 -------

Stable on hppa

------- Comment #7 From Markus Rothe 2005-07-31 05:16:08 0000 -------

stable on ppc64

------- Comment #8 From Fernando J. Pereda (RETIRED) 2005-07-31 06:08:29 0000 -------

Stable on alpha

Cheers,
Ferdy

------- Comment #9 From Tobias Scherbaum 2005-07-31 09:51:39 0000 -------

ppc stable

------- Comment #10 From Herbie Hopkins (RETIRED) 2005-08-01 03:18:02 0000 -------

Stable on amd64.

------- Comment #11 From Gustavo Zacarias (RETIRED) 2005-08-01 07:46:14 0000 -------

sparc stable

------- Comment #12 From Thierry Carrez (RETIRED) 2005-08-02 02:06:33 0000 -------

10.28 still misses hppa...
x86/maintainer: please also text and mark x86 stable

------- Comment #13 From Karol Wojtaszek (RETIRED) 2005-08-02 04:50:50 0000 -------

x86 done

------- Comment #14 From René Nussbaumer 2005-08-02 09:09:26 0000 -------

Stable on hppa again.

------- Comment #15 From Thierry Carrez (RETIRED) 2005-08-03 00:41:28 0000 -------

We must decide if we issue a GLSA on this one.

The problem here is that we consider as unexpected behavior the fact that
pstotext or pstopnm execute blindly the PS (potentially honoring the pipe
commands to execute arbitrary stuff). A behavior that we consider "as
documented" when it's for Ghostscript itself.

My position is that a vast majority of users won't know that pstotext and
pstopnm will execute Ghostscript in a way potentially allowing code execution,
so the GLSAs are justified. That said, they probably don't know that regular PS
files fed to Ghostscript also will. I would prefer -dSAFER enabled by default in
Ghostscript (which should come in a next version). Let's say GS is a
sufficiently low-level tool that its users know what they are doing, hence it's
not really considered a vulnerability ?

------- Comment #16 From Tavis Ormandy (RETIRED) 2005-08-03 00:51:10 0000 -------

I would normally vote no, but following the pstopnm issue we should probably 
glsa this one as well, so YES.

------- Comment #17 From Bryan Østergaard (RETIRED) 2005-08-04 14:43:21 0000 -------

Stable on ia64.

------- Comment #18 From Sune Kloppenborg Jeppesen 2005-08-05 01:10:13 0000 -------

Yeah pstotext sets a (bad?) precedent so I tend to vote Yes.

------- Comment #19 From Thierry Carrez (RETIRED) 2005-08-05 01:12:38 0000 -------

OK let's go then

------- Comment #20 From Thierry Carrez (RETIRED) 2005-08-05 04:02:00 0000 -------

GLSA 200508-04
arm and mips should mark stable to benefit from GLSA

------- Comment #21 From Aaron Walker (RETIRED) 2005-08-05 11:06:38 0000 -------

Stable on mips.